Information Security Adaption: Survival In An Evolving Threat Landscape. Carl Herberger VP, Security Solutions, Radware

Transcription

1 Information Security Adaption: Survival In An Evolving Threat Landscape Carl Herberger VP, Security Solutions, Radware

2 The Evolving Threat Landscape Anatomy of an Attack Securing Tomorrow s Perimeter

3 The Evolving Threat Landscape

4 More Attacks. More Often.

5 Latency Yesterday for US Commercial Banks

6 Attack Motivation Vandalism and Publicity Financially Motivated Blending Motives Hacktivism Dec 2010 Operation Payback Mar 2011 Netbot DDoS LulzSec Sony, CIA, FBI Attack Risk CodeRed 2001 Nimda (Installed Trojan) 2001 Blaster 2003 Agobot (DoS Botnet) Slammer Republican (Attacking SQL sites) 2003 website DoS 2004 Storm (Botnet) 2007 Srizbi (Botnet) Rustock 2007 (Botnet) 2007 Estonia s Web Sites DoS 2007 Kracken (Botnet) IMDDOS (Botnet) July 2009 Cyber Attacks US & Korea Google / Twitter Attacks2009 Georgia Web sites DoS Mar 2011 Codero DDoS / Twitter Mar 2011 Operation Payback II Mar 2011 DDoS Wordpress.com Peru, Chile Time

7 Hacktivism - Becomes More Campaign-APT Oriented Complex: More than seven different attack vectors at once Blending: both network and application attacks Targeteering: Select the most appropriate target, attack tools, Resourcing: Advertise, invite, coerce anyone capable Testing: Perform short proof-firing prior to the attack Timeline: Establish the most painful time period for his victim Slide 7

8 Hacktivism - Becomes More Campaign-APT Oriented Sophistication measure Duration: 20 Days More than 7 Attack vectors Inner cycle involvement Attack target: Vatican Duration: 3 Days 4 Attack vectors Attack target: Visa, MasterCard Duration: 3 Days 5 Attack vectors Only inner cycle involvement Attack target: HKEX Duration: 6 Days 5 Attack vectors Inner cycle involvement Attack target: Israeli sites Slide 8

9 The Anonymous Arms Race Network Application Flood Low & Slow Vulnerability Based UDP Floods Dynamic HTTP RUDY Intrusion Attempts SYN Floods HTTPS Floods Slowloris SQL Injection Fragmented Floods Pyloris #refref FIN + ACK xerex

10 Digital Supply Chain Defense Integration In-the-Cloud Defenses Cloud Common Targets: DNS, ISP, CDN & CA/CRL Perimeter Defenses Network & Application (Outer) DefensePro Perimeter Common Targets: Firewalls, IPS, Routers, Load Balancers Advanced (Inner) Application Defenses AppWall Application Targets: Sessions, Connections, SSL Protected Online Services

11 2012 Security Report

12 Anatomy of an Attack The Evolving Threat Landscape Securing Tomorrow s Perimeter

13 Example Stock Exchange Attack Attack Vector Time Stamp Attack Peak Fragmented UDP Flood 1:00 AM 95 Mbps 10K PPS LOIC UDP 4:00 AM and 8:00 PM - 11:00 PM 50 Mbps 5K PPS TCP SYN Flood 1:40 PM 13.6 Mbps 24K PPS R.U.D.Y 4:00 PM 2.1 Mbps 0.7K PPS LOIC TCP 11:00 PM - 3:30 AM 500 Kbps 0.2K PPS Mobile LOIC 6:00 PM- 8:30 PM 86 Kbps 13 PPS #RefRef 9:45 PM Few packets

14 The Security Trinity Security Confidentiality, a mainstream adaptation of the need to know principle of the military ethic, restricts the access of information to those systems, processes and recipients from which the content was intended to be exposed. Confidentiality Integrity Security Integrity in its broadest meaning refers to the trustworthiness of information over its entire life cycle. Security Availability is a characteristic that distinguishes information objects that have signaling and self-sustaining Availability processes from those that do not, either because such functions have ceased (outage, an attack), or else because they lack such functions.

15 The Security Trinity Confidentiality Integrity Availability

16 Enterprise Encryption Database Security Compliance Oriented Activity Social Engineering Protection 2011 Sony 100M HB Gary - FBI AES Hack Apple 12M Data Leakage Protection 2005 Ameriprise 2009 Heartland 100M Rock You! 32M /- RSA 2-Factor Token Hack 2008 Countrywide 17M GE Financial 800K WEP Attacks TLS Attacks EAP Attacks L2LP Attacks 2007 TJ Maxx 45M The Gap 800K ARP Attacks PPTP Attacks SIP Attacks 2006 Boeing 386K Dept. of VA 29M AES Attacks VPN Attacks Application Exploits Network Exploits MITB Attacks 3DES Attacks Encryption & Authentication Weaknesses Financial 24M Lost IPv6 Encapsulated in IPv4 Hash Attacks SSL Attacks O/S Exploits Defenses Examples Attacks Vulnerabilities Confidentiality

17 The Security Trinity Confidentiality Integrity Availability

18 The Security Trinity Confidentiality Integrity Availability

19 2002 SSH2 Hack Hardware Security Modules (HSM) 2006 SSL / TLS Plaintext Attack 2008 US CERT: MD5 Hash Insecure Federated Identity Management Fraud & Scams Man-inthe-Middle O/S Exploits Anonymizers Malware Transmission Encryption Weaknesses Application Exploits ARP Attacks Unauthorized Authentication Network Exploits 2009 Encrypted Kernel Exploit Discovered Steganography Spoofing Keyloggers 2010 PCI: Kiss your WEP Goodbye! Rootkits Skimming Dec 2010 NIST: 1K Certs Not Recommended 2011 Browser Exploit Against SSL / TLS (BEAST) Released Nov THC SSL Attack Released Multi-Factored Authentication Public Key Infrastructure Network Access Control Fraud Detection / Hash Checksums Integrity Vulnerabilities Attacks Examples Defenses

20 The Security Trinity Confidentiality Integrity Availability

21 The Security Trinity Confidentiality Integrity Availability

22 ICMP Floods TCP Fragment Floods LOIC IGMP Floods ACK Floods Xerxes Feb 2010 Operation Titstorm: Australian Government Outages Hardware-Based Volumetric Protections RFC Violation Attacks HTTP GET Page Floods #Refref Application Exploits SSL Attacks Memory Allocation Attacks Socket Stress Nov 2010 Operation Payback Visa, MasterCard + other outages Web-Application Firewall Business Logic Brute Force Attacks Behavioral Technologies O/S Exploits SQL Attacks Plyoris Apr 2011 Operation Sony Play Station.com Outage, Leaked CC# Availability Vulnerabilities Concurrent Connection Attacks TCP SYN Floods Attacks Tools Examples Defenses RFC Exploits TCP Out-of- State Floods R-U-Dead- Yet (RUDY) June 2011 Operation Iran Iran Government Outages, Leaked s, Hacked IT Architecture Exploits Network Exploits SIP Attacks Architecture Improvements DNS Query Floods TCP SYN+ACK Floods Slowloris Session Attacks TCP RESET Floods TCP FIN Floods HTTP POST Floods TCP Stack Resource Attacks Leonitis Jun 2011 Operation AntiSec AZ Department of Public Safety Down Challenge / Response Technology HOIC HULK Jun 2012 AT&T DNS Outage & L3 ISP Outage Attacks Black / White / Access Control Lists

23 Size Does Not Matter. Honest. The impact of application flood attacks are much more severe than network flood attacks 76% of attacks are below 1Gbps!

24 Availability-based Threats Tree Availabilitybased Threats Network Floods (Volumetric) Application Floods Low-and-Slow Single-packet DoS ICMP Flood Web Flood DNS SMTP UPD Flood HTTPS SYN Flood Radware Confidential Jan 2012 Slide 24

25 R.U.D.Y (R-U-Dead-Yet) R.U.D.Y. (R-U-Dead-Yet?) R.U.D.Y. (R-U-Dead-Yet?) is a slow-rate HTTP POST (Layer 7) denial-of-service tool created by Raviv Raz and named after the Children of Bodom album Are You Dead Yet? It achieves denial-of-service by using long form field submissions. By injecting one byte of information into an application POST field at a time and then waiting, R.U.D.Y. causes application threads to await the end of never-ending posts in order to perform processing (this behavior is necessary in order to allow web servers to support users with slower connections). Since R.U.D.Y. causes the target webserver to hang while waiting for the rest of an HTTP POST request, by initiating simultaneous connections to the server the attacker is ultimately able to exhaust the server s connection table and create a denial-of-service condition. Slide 25 Radware Confidential Jan 2012

26 Main Bottlenecks During DoS Attacks - ERT Survey Slide 26 Radware Confidential Jan 2012

27 The Impact Confidentiality Integrity Availability Target / Operation Habbo Hal Turner Project Chanology Epilepsy Foundation AllHipHop Defacement No Cussing Club 2009 Iranian Election Protests Operation Didgeridie Operation Titstorm Oregon Tea Party Raid Operation Payback Avenge Assange Ope Bra

28 Defense Blind Spot Map Protection Purpose Firewall IPS WAF Router ACLs Next Gen FW Anti-DoS Appliance (CPE) DLP Cloud Anti-DoS Data-At-Rest Protections (Confidentiality) Data-At-Endpoint (Confidentiality) Data-In-Transit (Confidentiality) Network Infrastructure Protection (Integrity) Application Infrastructure Protection (Integrity) Volumetric Attacks (Availability) Non-Volumetric Resource Attacks (Availability)

29 Gartner Sep 2012: Anti-DoS BlindSpot

30 Gartner Sep 2012: Anti-DoS BlindSpot

31 Securing Tomorrow s Perimeter

32 What We Should Work Toward 100% Architecture Protection. Varied Deployment Models. Understand the behavior beyond protocol and content It s an eco-system.collaboration is key Emergency response & triage: Practice cyber war rooms Integrate offense into your security strategies. Slide 32

33 Perimeter Defense Planning

34 Perimeter Defense Planning Any gap in coverage represents a vulnerability. That will be exploited.

35 Perimeter Defense Planning

36 Key Notes: - Counter Attack s Comeuppance is Upon Us - Key IR Assumptions are wrong e.g. Law enforcement - Attack Mitigation Talent is Low. Knowledge must increase. - Corporate Policies are IR not ERT focused The Best Defense Is A

37 Anatomy of an Attack The Evolving Threat Landscape Securing Tomorrow s Perimeter

38 Adapting Perimeter Defenses Plan for 100% architecture protection Review your attack mitigation toolkit Assess infrastructure vulnerabilities to DDoS attacks Plan ahead Can t stop attacks without a game plan Emergency response & triage - Practice cyber war rooms Integrate offense into your security strategies Watch what s happening on the network Do you have signals? Assume attacks will be multi-vector in nature Partner with companies that know how to defend against persistent attacks

39 Thank You Carl Herberger VP, Security Solutions Radware